This topic has 13 replies, 3 voices, and was last updated 7 years, 8 months ago by sohanb.

  • #2794
     sohanb
    Participant

    Hi,

    I am following some docs to create an application and a service.
    I am creating the service using the ssoadm tool,
    eg: ./ssoadm create-svc -u amadmin -f /data/csbcit1/AandA/ssoadm/openam/bin/pwd.txt -X testSvc.xml

    In this service (testSvc.xml) I am able to add actions and values to actions, but I don't know how I can add subject conditions in the service.
    So when I add this service to my application, while creating the policy under that application I can set my actions and subject conditions on that policy.

    I can see OpenAM 12 has some default conditions like "All Authenticated Users, User Groups" etc.

    Can you guide me here please? Where can I find an example?

    Thanks,
    Soha

    #2797
     Peter Major
    Moderator

    It sounds like you are following a possibly outdated guide. Could you elaborate on exactly what you want to achieve? For reference it could also be beneficial to include the contents of your testSvc.xml.

    #2801
     sohanb
    Participant

    I want to create my own custom application with my own actions. When creating the service I also want to add subject conditions, like in OpenAM 12 there is the default iplanetprowebagent application with actions and conditions.

    I want to refer similar service XML file.

    Examples given by the documents are mostly curl requests.

    Thanks

    #2802
     Mike Jang
    Spectator

    Hi,

    Have you looked at the following: Procedure 3.2. To Configure a Policy by Using the OpenAM Console?

    Step 5 of that procedure describes how you can add one of four subject condition types.

    Thanks,
    Mike

    #2803
     sohanb
    Participant

    Hi

    I want to know, if I create my own application with my own actions, how I can add conditions in my service XML.
    If I use the option from OpenAM directly to create the application I can have a limited set of actions, but I want to have my own actions and conditions.
    I can add my own actions in my service XML but I don't know how to add a condition.
    Please show me an XML example.

    Thanks

    #2804
     Peter Major
    Moderator

    There have been a lot of changes in 12 around policies. There are a few really good resources on how to use custom conditions:
    http://docs.forgerock.org/en/openam/12.0.0/dev-guide/index.html#chap-policy-spi
    https://github.com/markcraig/openam-policy-eval-sample

    As you can see, implementing a custom condition now involves creating an EntitlementModule implementation which can register the custom conditions with short names, so the REST API and the policy editor are able to work with it. The EntitlementModule is found using the ServiceLoader mechanism (see the example project).
    Once you have your custom condition/subject/etc registered, creating a new application is as simple as:

    $ curl -v -X PUT -H "If-None-Match: *" -H "Content-Type: application/json" -H "iplanetdirectorypro: AQIC5wM2L..*" -d '{"name":"customApp","resources":["*://*:*/*?*","*://*:*/*"],"actions":{"SERVICE":true,"UPLOAD":true},"description":"My Custom Application.","attributeNames":[],"realm":"/","conditions":["AuthenticateToService","AuthLevelLE","AuthScheme","IPv6","SimpleTime","OAuth2Scope","IPv4","AuthenticateToRealm","OR","AMIdentityMembership","LDAPFilter","AuthLevel","SessionProperty","Session","NOT","AND","ResourceEnvIP","SampleCondition"],"subjects":["JwtClaim","AuthenticatedUsers","Identity","NOT","AND","NONE","OR"],"resourceComparator":null,"applicationType":"iPlanetAMWebAgentService","saveIndex":null,"searchIndex":null,"entitlementCombiner":"DenyOverride"}' http://openam.example.com:8080/openam/json/applications/customApp

    As you can see, I've also specified custom actions in my request, and I didn't have to fiddle with service XMLs at all.

    After creating a policy with UPLOAD=true for the http://example.com:80/* resource under the customApp application, performing evaluation is a simple matter of:

    $ curl -v -X POST -H "Content-Type: application/json" -H "iplanetdirectorypro: <adminToken>" -d '{"resources":["http://example.com:80/index.html"],"application":"customApp","subject":{"ssoToken":"<usertoken>"}}' http://openam.example.com:8080/openam/json/policies/?_action=evaluate
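The evaluate call above, as an added example that is not part of the thread: it builds the request body from the post and then interprets the decision array OpenAM 12 returns, granting only on an explicit true. The response body is constructed to illustrate the format, and the AuthLevelConditionAdvice key in it is an assumption.

```python
import json

OPENAM_BASE = "http://openam.example.com:8080/openam"  # host from the post
EVALUATE_URL = OPENAM_BASE + "/json/policies?_action=evaluate"


def evaluate_request(application, resources, user_sso_token):
    """JSON body for POST /json/policies?_action=evaluate (OpenAM 12)."""
    return {
        "resources": list(resources),
        "application": application,
        "subject": {"ssoToken": user_sso_token},
    }


def is_allowed(decisions, resource, action):
    """Grant only on an explicit true for that resource and action.

    No decision for the resource, no entry for the action, or false all
    mean deny: with DenyOverride an absent action means no policy granted it."""
    for decision in decisions:
        if decision.get("resource") == resource:
            return decision.get("actions", {}).get(action) is True
    return False


def denial_advices(decisions, resource):
    """Advices say what the subject still lacks (advice key below is assumed)."""
    for decision in decisions:
        if decision.get("resource") == resource:
            return decision.get("advices", {})
    return {}


# Constructed sample response for two resources under the customApp application.
SAMPLE_DECISIONS = json.loads("""[
  {"resource": "http://example.com:80/index.html",
   "actions": {"UPLOAD": true, "SERVICE": false},
   "attributes": {}, "advices": {}},
  {"resource": "http://example.com:80/admin/index.html",
   "actions": {}, "attributes": {},
   "advices": {"AuthLevelConditionAdvice": ["2"]}}
]""")

if __name__ == "__main__":
    body = evaluate_request("customApp", ["http://example.com:80/index.html"], "<usertoken>")
    print("POST", EVALUATE_URL, json.dumps(body))
    print(is_allowed(SAMPLE_DECISIONS, "http://example.com:80/index.html", "UPLOAD"))
    print(denial_advices(SAMPLE_DECISIONS, "http://example.com:80/admin/index.html"))
```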
    #2825
     sohanb
    Participant

    Thanks for reply.

    I am creating the application using the ssoadm tool.
    I have done this for OpenAM 11.0.0. My application is getting added with the service.

    I will show you contents of each file with command:

    ********** create application type****************
    ./ssoadm create-appl-type -u amadmin -f /data/csbcit1/AandA/ssoadm/openam/bin/pwd.txt -D applType.txt -m "BTPolicyService"

    applType.txt
    actions=READ=true
    actions=UPDATE=true
    actions=DELETE=true
    actions=ADD-ACCESS=true
    resourceComparator=com.sun.identity.entitlement.URLResourceName
    saveIndexImpl=com.sun.identity.entitlement.util.ResourceNameIndexGenerator
    searchIndexImpl=com.sun.identity.entitlement.util.ResourceNameSplitter

    ********** Create application********************
    ./ssoadm create-appl -u amadmin -f /data/csbcit1/AandA/ssoadm/openam/bin/pwd.txt -D appl.txt -m "BTPolicyService" -e "/" -t "BTPolicyService"

    appl.txt

    actions=READ=true
    actions=UPDATE=true
    actions=DELETE=true
    actions=ADD-ACCESS=true
    resources= table://*
    entitlementCombiner=com.sun.identity.entitlement.DenyOverride
    resourceComparator=com.sun.identity.entitlement.URLResourceName
    conditions=com.sun.identity.admin.model.DnsNameViewCondition
    subjects=com.sun.identity.admin.model.IdRepoGroupViewSubject
    subjects=com.sun.identity.admin.model.IdRepoRoleViewSubject
    subjects=com.sun.identity.admin.model.IdRepoUserViewSubject
    subjects=com.sun.identity.admin.model.VirtualViewSubject
    subjects=com.sun.identity.admin.model.AttributeViewSubject
    subjects=com.sun.identity.admin.model.OrViewSubject
    subjects=com.sun.identity.admin.model.AndViewSubject
    subjects=com.sun.identity.admin.model.NotViewSubject
    conditions=dateRange
    conditions=daysOfWeek
    conditions=dnsName
    conditions=ipRange
    conditions=timeRange
    conditions=timezone
    conditions=or
    conditions=and
    conditions=not

    ********** create service***************
    ./ssoadm create-svc -u amadmin -f /data/csbcit1/AandA/ssoadm/openam/bin/pwd.txt -X testSvc.xml

    testSvc.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE ServicesConfiguration SYSTEM "jar://com/sun/identity/sm/sms.dtd">
    <ServicesConfiguration>
      <Service name="BTPolicyService" version="1.0">
        <Schema serviceHierarchy="/DSAMEConfig/BTPolicyService" i18nFileName="BTPolicyService" i18nKey="BTPolicyService">
          <Global>
            <AttributeSchema name="serviceObjectClasses" type="list" syntax="string" i18nKey="BTPolicyService"/>
          </Global>
          <Policy>
            <AttributeSchema i18nKey="READ" name="READ" syntax="boolean" type="single" uitype="radio">
              <IsResourceNameAllowed></IsResourceNameAllowed>
              <BooleanValues>
                <BooleanTrueValue>true</BooleanTrueValue>
                <BooleanFalseValue>false</BooleanFalseValue>
              </BooleanValues>
            </AttributeSchema>
            <AttributeSchema i18nKey="DELETE" name="DELETE" syntax="boolean" type="single" uitype="radio">
              <IsResourceNameAllowed></IsResourceNameAllowed>
              <BooleanValues>
                <BooleanTrueValue>true</BooleanTrueValue>
                <BooleanFalseValue>false</BooleanFalseValue>
              </BooleanValues>
            </AttributeSchema>
            <AttributeSchema i18nKey="UPDATE" name="UPDATE" syntax="boolean" type="single" uitype="radio">
              <IsResourceNameAllowed></IsResourceNameAllowed>
              <BooleanValues>
                <BooleanTrueValue>true</BooleanTrueValue>
                <BooleanFalseValue>false</BooleanFalseValue>
              </BooleanValues>
            </AttributeSchema>
            <AttributeSchema i18nKey="ADD-ACCESS" name="ADD-ACCESS" syntax="boolean" type="single" uitype="radio">
              <IsResourceNameAllowed></IsResourceNameAllowed>
              <BooleanValues>
                <BooleanTrueValue>true</BooleanTrueValue>
                <BooleanFalseValue>false</BooleanFalseValue>
              </BooleanValues>
            </AttributeSchema>
          </Policy>
        </Schema>
      </Service>
      <Conditions name="conditions" description="description">
        <Condition name="authenticatetoservice" type="AuthenticateToService">
          <AttributeValue DataType="urn:sun:opensso:entitlement:json-subject-type:org.forgerock.openam.entitlement.conditions.subject.AuthenticatedUsers" privilegeComponent="entitlementSubject">{}</AttributeValue>
        </Condition>
      </Conditions>
    </ServicesConfiguration>

    You can see the command and the content of each file above.
    What is wrong with my condition? Have the class packages changed?

    Thanks

    #2826
     Peter Major
    Moderator

    Let me try to reiterate:
    There have been a lot of changes in 12 around policies.

    The methods used with 11 to create custom applications don't quite apply with 12 any more. Also you don't have to create a new application type to have different sets of actions or conditions, you could just create a new application with the iPlanetAMWebAgentService application type and override those values (like I did above).
    Moreover for custom conditions you should look at the new example policy plugin project (link above), as you now need to implement a different interface than what you had to with 11.

    #2833
     sohanb
    Participant

    Thanks, that helped a lot.
    I can also create the application now using the ssoadm tool; for that I had to change a few things in my appl.txt file.

    something like this:
    appl.txt
    actions=READ=true
    actions=UPDATE=true
    actions=DELETE=true
    actions=ADD-ACCESS=true
    resources= table://*
    entitlementCombiner=com.sun.identity.entitlement.DenyOverride
    resourceComparator=com.sun.identity.entitlement.URLResourceName
    subjects=Identity
    subjects=NOT
    subjects=NONE
    subjects=AND
    subjects=OR
    conditions=ResourceEnvIP
    conditions=AuthenticateToService
    conditions=AuthLevelLE
    conditions=AuthLevel
    conditions=daysOfWeek
    conditions=dnsName

    Thanks
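The working appl.txt above and the REST body from earlier in the thread describe the same application in two formats. As an added example that is not part of the thread, this converts the ssoadm "-D" data file into the JSON that PUT /json/applications/<name> accepts; the data file is a constructed, abridged copy of the post, and shortening the combiner class to "DenyOverride" follows the earlier REST example (an assumption).

```python
# Constructed, abridged copy of the working appl.txt from the post above.
APPL_TXT = """\
actions=READ=true
actions=UPDATE=true
actions=DELETE=true
actions=ADD-ACCESS=true
resources= table://*
entitlementCombiner=com.sun.identity.entitlement.DenyOverride
subjects=Identity
subjects=NOT
subjects=AND
conditions=AuthenticateToService
conditions=AuthLevel
conditions=dnsName
"""
# Keys that ssoadm accepts repeatedly; every occurrence adds one value.
MULTI_VALUED = ("actions", "resources", "subjects", "conditions")

def parse_datafile(text):
    """Parse ssoadm key=value lines; repeated keys collect into lists."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()  # tolerates "resources= table://*"
        if key in MULTI_VALUED:
            data.setdefault(key, []).append(value)
        else:
            data[key] = value
    return data

def to_rest_application(name, data, realm="/"):
    """Build the application JSON; "actions=NAME=true" entries become a
    name -> bool map and the combiner class is reduced to its simple name."""
    actions = {}
    for entry in data.get("actions", []):
        action, _, flag = entry.partition("=")
        actions[action.strip()] = flag.strip().lower() == "true"
    return {
        "name": name, "realm": realm,
        "resources": data.get("resources", []),
        "actions": actions,
        "subjects": data.get("subjects", []),
        "conditions": data.get("conditions", []),
        "applicationType": "iPlanetAMWebAgentService",
        "entitlementCombiner": data["entitlementCombiner"].rsplit(".", 1)[-1],
    }
```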

    #2834
     Peter Major
    Moderator

    Good to hear it's working. I can see now that I failed to mention that all of this is still doable through ssoadm, only the values have slightly changed (from long FQDNs to shorter, more readable names that need to be registered by using EntitlementModules)...

    #2836
     sohanb
    Participant

    Thanks for the help till date.

    Cheers,
    Sohan

    #2837
     sohanb
    Participant

    Last question on this,

    So now I don't need to create a service using ssoadm?

    I am a bit confused between create-svc and create-appl; does create-svc link something to the application?

    Where in the picture can I make use of the service?

    Thanks,
    Sohan

    #2839
     Peter Major
    Moderator

    Creating the service is/was only necessary when evaluating policies via PLL (as that still leverages the old policy framework for backwards compatibility reasons). The shiny new REST API with the evaluate _action doesn’t need the service.

    #2855
     sohanb
    Participant

    Okay, got it now...

    So this handles all evaluation of policies without creating a service. So now I have a few steps reduced using OpenAM 12.0.0, and that's good.

    I will be using
    http://openam.example.com:8080/openam/json/policies?_action=evaluate as per our discussion.

    Many Thanks,
    Sohan
